Usage

tartufo

Find secrets hidden in the depths of git.

Tartufo will, by default, scan the entire history of a git repository for any text which looks like a secret, password, credential, etc. It can also be made to work in pre-commit mode, for scanning blobs of text as a pre-commit hook.

tartufo [OPTIONS] COMMAND [ARGS]...

Options

--rules <rules>
    [DEPRECATED] Use the rule-patterns config options instead. Path(s) to regex rules JSON list file(s).

--default-regexes, --no-default-regexes
    Whether to include the default regex list when configuring search patterns. Only applicable if --rules is also specified.
    Default: True

--entropy, --no-entropy
    Enable entropy checks.
    Default: True

--regex, --no-regex
    Enable high-signal regex checks.
    Default: True

--scan-filenames, --no-scan-filenames
    Check the names of files being scanned as well as their contents.
    Default: True

-of, --output-format <output_format>
    Specify the format in which the output is generated: json, compact or text. If not provided, the output is generated in text format (the default).
    Options: json|compact|text

-od, --output-dir <output_dir>
    If specified, all issues will be written out as individual JSON files to a uniquely named directory under this one. This helps keep the results of individual runs of tartufo separated.

--git-rules-repo <git_rules_repo>
    A file path, or git URL, pointing to a git repository containing regex rules to be used for scanning. By default, all .json files will be loaded from the root of that repository. --git-rules-files can be used to override this behavior and load specific files.

--git-rules-files <git_rules_files>
    Used in conjunction with --git-rules-repo, specify glob-style patterns for files from which to load the regex rules. Can be specified multiple times.

--config <config>
    Read configuration from the specified file. [default: tartufo.toml]

-q, --quiet, --no-quiet
    Quiet mode. No output is reported if the scan is successful and doesn't find any issues.

-v, --verbose
    Display more verbose output. Specifying this option multiple times will incrementally increase the amount of output.

--log-timestamps, --no-log-timestamps
    Enable or disable timestamps in logging messages.
    Default: True

--entropy-sensitivity <entropy_sensitivity>
    Modify entropy detection sensitivity. This is expressed on a scale of 0 to 100, where 0 means "totally nonrandom" and 100 means "totally random". Decreasing the scanner's sensitivity increases the likelihood that a given string will be identified as suspicious.
    Default: 75

-b64, --b64-entropy-score <b64_entropy_score>
    [DEPRECATED] Use --entropy-sensitivity. Modify the base64 entropy score. If a value greater than the default (4.5 in a range of 0.0-6.0) is specified, tartufo lists higher entropy base64 strings (longer or more randomized strings). A lower value lists lower entropy base64 strings (shorter or less randomized strings).

-hex, --hex-entropy-score <hex_entropy_score>
    [DEPRECATED] Use --entropy-sensitivity. Modify the hexadecimal entropy score. If a value greater than the default (3.0 in a range of 0.0-4.0) is specified, tartufo lists higher entropy hexadecimal strings (longer or more randomized strings). A lower value lists lower entropy hexadecimal strings (shorter or less randomized strings).
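The entropy options above (--entropy-sensitivity and the deprecated --b64-entropy-score / --hex-entropy-score) are easier to reason about with a concrete scanner in hand. The following is an added, illustrative Python example, not tartufo's own code: it computes the Shannon entropy of base64-looking and hex-looking candidate strings and reports those above a limit derived from a 0-100 sensitivity. It assumes the sensitivity maps linearly onto the per-alphabet scores (so 75 gives 4.5 of 6.0 for base64 and 3.0 of 4.0 for hex, matching the defaults listed on this page), and it assumes a 20-character minimum candidate length; the sample text and the "secrets" in it are constructed for the demonstration.

```python
"""Added example: entropy-based candidate detection with a 0-100 sensitivity.

Illustrative code, not tartufo's implementation.  Assumptions: the 0-100
sensitivity scales linearly onto the per-alphabet entropy limits (75 -> 4.5
of 6.0 for base64, 75 -> 3.0 of 4.0 for hex, matching the page's defaults),
and candidates must be at least 20 characters long.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

MAX_B64_ENTROPY = 6.0   # log2(64): top of the page's 0.0-6.0 base64 range
MAX_HEX_ENTROPY = 4.0   # log2(16): top of the page's 0.0-4.0 hex range
MIN_LENGTH = 20         # assumed minimum candidate length

# Runs of characters drawn from each alphabet; a hex run also matches B64_RE,
# so the same string can be evaluated against both limits.
B64_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_LENGTH)
HEX_RE = re.compile(r"[0-9a-fA-F]{%d,}" % MIN_LENGTH)

# Constructed sample input: none of these values are real credentials.
SAMPLE_TEXT = """\
# constructed sample, not real credentials
api_token = "Qz7mP2vL8nR4tB6wX1cY5jH3sD9kF0gJaEbUoVdW"
session_id = "3f9a1c7e5b2d8046e1a9c3f7b5d2e8a0"
placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
weak_password = "passwordpasswordpasswordpassword"
"""


def shannon_entropy(data: str) -> float:
    """Shannon entropy of `data` in bits per character (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_limits(sensitivity: int) -> Tuple[float, float]:
    """Map a 0-100 sensitivity to (base64_limit, hex_limit).

    Assumed linear mapping: sensitivity 75 reproduces the deprecated default
    scores 4.5 (base64) and 3.0 (hex).  Lowering the sensitivity lowers both
    limits, so more strings clear them and are reported.
    """
    if not 0 <= sensitivity <= 100:
        raise ValueError("sensitivity must be between 0 and 100")
    return (MAX_B64_ENTROPY * sensitivity / 100,
            MAX_HEX_ENTROPY * sensitivity / 100)


def find_high_entropy_strings(text: str, sensitivity: int = 75) -> List[Tuple[str, str]]:
    """Return (kind, candidate) pairs whose entropy exceeds their alphabet's limit."""
    b64_limit, hex_limit = entropy_limits(sensitivity)
    findings: List[Tuple[str, str]] = []
    for word in text.split():
        for candidate in B64_RE.findall(word):
            if shannon_entropy(candidate) > b64_limit:
                findings.append(("base64", candidate))
        for candidate in HEX_RE.findall(word):
            if shannon_entropy(candidate) > hex_limit:
                findings.append(("hex", candidate))
    return findings


if __name__ == "__main__":
    # Show how the same text is judged at the default and at a lower sensitivity.
    for level in (75, 40):
        print(f"sensitivity={level} limits={entropy_limits(level)}")
        for kind, candidate in find_high_entropy_strings(SAMPLE_TEXT, level):
            print(f"  [{kind}] {candidate} entropy={shannon_entropy(candidate):.2f}")
```

At the default of 75 the random-looking token and the hex session id are reported while the repetitive placeholder and the repeated word are not; dropping the sensitivity to 40 lowers the base64 limit to 2.4 bits and the repeated word (about 2.75 bits per character) is reported as well. That is the trade-off the --entropy-sensitivity description refers to: lower values catch shorter or less random strings at the cost of more false positives to triage.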
-V, --version
    Show the version and exit.

pre-commit

Scan staged changes in a pre-commit hook.

tartufo pre-commit [OPTIONS]

Options

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False

scan-folder

Scan a folder.

tartufo scan-folder [OPTIONS] TARGET

Options

--recurse, --no-recurse
    Recurse and scan the entire folder.
    Default: True

Arguments

TARGET
    Required argument.

scan-local-repo

Scan a repository already cloned to your local system.

tartufo scan-local-repo [OPTIONS] REPO_PATH

Options

--since-commit <since_commit>
    Only scan from a given commit hash.

--max-depth <max_depth>
    The max commit depth to go back when searching for secrets.
    Default: 1000000

--branch <branch>
    Specify a branch name to scan only that branch.

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False

Arguments

REPO_PATH
    Required argument.

scan-remote-repo

Automatically clone and scan a remote git repository.

tartufo scan-remote-repo [OPTIONS] GIT_URL

Options

--since-commit <since_commit>
    Only scan from a given commit hash.

--max-depth <max_depth>
    The max commit depth to go back when searching for secrets.
    Default: 1000000

--branch <branch>
    Specify a branch name to scan only that branch.

-wd, --work-dir <work_dir>
    Specify a working directory; this is where the repository will be cloned to before scanning.

--include-submodules, --exclude-submodules
    Controls whether the contents of git submodules are scanned.
    Default: False

Arguments

GIT_URL
    Required argument.